Support 100 years of independent journalism.

Advertorial feature by BlackBerry
  1. Spotlight
  2. Cybersecurity
8 May 2019updated 08 Sep 2021 3:50pm

Creating a culture of resilience

Campbell Murray, global head – BlackBerry Cyber Security Delivery, explains why businesses must acknowledge the reality of digitised threats and plan for them accordingly.

By Campbell Murray

To accept that a cyber security breach is a matter of when, rather than if, represents a realistic rather than defeatist outlook. As technology evolves, so too does the sophistication of its users, especially those in a leadership position; and in an increasingly digital age in which most industries and businesses have moved online, why should crime be an exception? According to research by SonicWall, since the WannaCry ransomware attack in May 2017, which disrupted up to 70,000 devices across the National Health Service, incidents of ransomware globally have increased by 44 per cent.

Cyber security, once an airy concept exclusive to IT department patter, has since become a necessary consideration for company boards. The increased adoption of cloud technology and the shift to paperless offices means that vast swathes of customer and staff data, both commercial and personal, are now stored online. Being able to manage and protect that data effectively is paramount to not only a company’s functionality but its credibility as well. People don’t want to use products and services they feel are unsafe.

Given the changing landscape of online threats, cyber security must progress to cyber resilience – that is the capacity a company has to withstand and overcome the impact of a breach. As much as this is to do with technology – the right software, encryption and firewalls are obviously all very important – delivering true cyber resilience also depends on people. There is a direct correlation between a breach’s impact on a business and the speed and nature of its response.

The cyber security “skills gap” is, at this point, a well-worn term. To call it an industry crisis is not an exaggeration. If companies fail to arm their employees with adequate cyber-resilient skills, the consequences could be catastrophic. Companies must view their staff as potentially vulnerable access points and routinely train and upskill the workforce. This shouldn’t be viewed as distrust as much as it should be considered damage limitation. Mistakes happen, but regular training can help to keep staff on their toes and ahead of the game. Precautionary measures for staff can range from the simplicity of changing passwords regularly, at work and at home, to hiring specialists to look after a company’s digital assets.

Too often, cyber security has been bolted onto products as an afterthought. Shifting the conversation towards cyber resilience would mean embedding protection measures into technologies and software from the start, as they are built. Many organisations, including banks and the NHS, are still using antiquated legacy computer systems, which are simply not compatible with the latest security measures necessary to keep pace with developing threats.

Select and enter your email address Quick and essential guide to domestic and global politics from the New Statesman's politics team. A weekly newsletter helping you fit together the pieces of the global economic slowdown. The New Statesman’s global affairs newsletter, every Monday and Friday. The New Statesman’s weekly environment email on the politics, business and culture of the climate and nature crises - in your inbox every Thursday. Your guide to the best writing across politics, ideas, books and culture - both in the New Statesman and from elsewhere - sent each Saturday. A newsletter showcasing the finest writing from the ideas section, covering political ideas, philosophy, criticism and intellectual history - sent every Wednesday. Sign up to receive information regarding NS events, subscription offers & product updates.
  • Administration / Office
  • Arts and Culture
  • Board Member
  • Business / Corporate Services
  • Client / Customer Services
  • Communications
  • Construction, Works, Engineering
  • Education, Curriculum and Teaching
  • Environment, Conservation and NRM
  • Facility / Grounds Management and Maintenance
  • Finance Management
  • Health - Medical and Nursing Management
  • HR, Training and Organisational Development
  • Information and Communications Technology
  • Information Services, Statistics, Records, Archives
  • Infrastructure Management - Transport, Utilities
  • Legal Officers and Practitioners
  • Librarians and Library Management
  • Management
  • Marketing
  • OH&S, Risk Management
  • Operations Management
  • Planning, Policy, Strategy
  • Printing, Design, Publishing, Web
  • Projects, Programs and Advisors
  • Property, Assets and Fleet Management
  • Public Relations and Media
  • Purchasing and Procurement
  • Quality Management
  • Science and Technical Research and Development
  • Security and Law Enforcement
  • Service Delivery
  • Sport and Recreation
  • Travel, Accommodation, Tourism
  • Wellbeing, Community / Social Services
Visit our privacy Policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications.

Having said that, it should be appreciated that installing new cyber security systems comes at a cost, and in some cases, such as with smaller businesses, the cost of replacing proprietary software entirely may prove prohibitive. This brings us back to the point about resilience. So, how can we make existing systems stronger?

There are available and simple techniques that are very efficient methods of identifying legacy systems. Isolation and strict access control are also important and underline the importance of the role of cyber security engineers. Systems that are no longer supported with patches should be quarantined from any other system environment, particularly end point networks. A single legacy vulnerability, after all, can be the gateway for malware and other attack vectors to spread extensively and rapidly.

Hardening and monitoring are crucial to building cyber resilience. Hardening means disabling unnecessary services and implementing least privilege concepts to limit exposure. Even legacy operating systems such as Windows 2003 can be hardened to a degree through applying an effective engineering lens to the problem with SDLC and threat modelling practices. The purpose of security monitoring, meanwhile, is to ensure that the system fulfils the defined security baseline and detects suspicious activities as swiftly as possible. Since many cyberattacks tend to coincide with starting or stopping processes, monitoring should involve authentication tests and continual authentication solutions are readily available.

It is ignorant and arrogant for a company to believe it will never be breached. And it is worth noting that the nature of a cyberattack is intrinsically unpredictable. WannaCry happened on a Friday afternoon. So-called “zero day” breaches are one worst-case scenario. Zero day breaches are up until that point an unknown exploit within software or hardware and cause complicated problems well before anyone realises that something is wrong. Cyber resilience entails being prepared for a threat you’ve never heard of before.

The main goal of business continuity management is to keep a company running smoothly and limit the amount of time it spends out of action. As well as having a forensic strategy in place – data recovery and intelligence specialists should always be on the staff if possible – there must also be a measured public relations element to any response.
Panic prevention is vital. Companies must agree their messaging to their customers as quickly as possible and take heed of previous PR disasters. Being concise and honest with customers about the scale and severity of an attack is a strategy that will yield longer-term reputational and trust benefits than playing something down, only to come unstuck as more information is learned about a breach. Backtracking can deal a hammer blow to credibility.

Ultimately, cyber resilience is not mitigating or tolerating weaknesses. It should instead be thought of as responses maturing alongside threat levels. Therefore, inculcating good cyber hygiene amongst staff, having the right kind of staff employed and the right security technologies in place from the onset, and having a clear-cut PR strategy, are all essential planning for any business hoping to stand any chance of surviving, let alone succeeding in the digital age.

To read BlackBerry’s latest whitepaper on cyber security, click here.

Campbell Murray is global head – BlackBerry Cyber Security Delivery. He joined the organisation in February 2016, as part of the acquisition of Encription Ltd, where he was a founder and director. Campbell has over 20 years’ cyber security experience and has been involved with every aspect of the industry in that time, but with a noticeable focus in offensive security techniques and security engineering in the IoT, industrial and transport arenas.

Topics in this article :